Compliance and Regulatory Frameworks

Guidelines and best practices influencing today’s organizations

At a Glance:

Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations follow these guidelines to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives (such as becoming a public company, or selling cloud solutions to government agencies).
These frameworks give us a common language that can be used from the server room to the boardroom. These standards are leveraged by:

  • Internal auditors and other internal stakeholders to evaluate the controls in place within their own organization.
  • External auditors to evaluate and attest to the controls in place within an organization.
  • Third parties (potential customers, investors, etc.) to evaluate the potential risks of partnering with an organization.

Achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and the operating effectiveness of a control may break down. Regular monitoring and reporting are a must, and guidance on exactly what “regular monitoring” entails is also outlined within each framework.
If you work with or are part of an information security (IS) team, here are some of the regulatory frameworks you might come across:

Sarbanes-Oxley (SOX)

  • Why does it exist? The Sarbanes-Oxley Act of 2002 was passed to counteract fraud after accounting scandals at Enron, WorldCom, and Tyco impacted investor trust. These controls are mandatory for public companies.
  • If you’re on an IS team, how will this impact you? There are various security requirements for applications and systems that process financial data. Requirements around access management, general IT controls (ITGCs), and entity-level controls may need to be managed by the IS team.
  • What types of organizations leverage this framework? Public companies, or companies eyeing a potential initial public offering (IPO). 

PCI DSS

  • Why does it exist? The Payment Card Industry Data Security Standard (PCI DSS) exists to protect the security of cardholder data. These controls are mandatory for organizations that process credit card data. The standards are made up of multiple levels, and the extent to which your organization interacts with credit card data will determine what level of PCI compliance your organization needs to achieve. For example, banks, merchants, and service providers will be held to higher standards given the nature of the business.
  • If you’re on an IS team, how will this impact you? Aside from enforcing certain procedures and controls based on your PCI DSS level, you may have to complete self-assessment questionnaires, quarterly network scans, and on-site independent security audits. 
  • What types of organizations leverage this framework? Merchants, payment card-issuing banks, processors, developers, and other vendors.

NIST

  • Why does it exist? Unlike SOX, NIST is not a singular set of controls. NIST, or the National Institute of Standards and Technology, is a federal agency within the US Chamber of Commerce whose work spans manufacturing, quality control, and security, among other areas. The agency collaborated with security industry experts, other government agencies, and academics to establish a set of controls and balances to help operators of critical infrastructure manage cybersecurity risk. Today, many organizations leverage NIST guidelines to manage and reduce risks that could impact their environment and their customers. Unlike some other frameworks, NIST is voluntary; however, customers may require that some of the controls be in place before they will partner with you.
  • If you’re on an IS team, how will this impact you? If you’re on the IS team of an organization that leverages NIST, you’ll play a large role in identifying, defining, and enforcing the controls that are governed by the standard. For example, when determining how your organization will handle vulnerability scanning, you may follow the guidance outlined in NIST SP 800-53 control RA-5 (in the Risk Assessment family), which spells out best practices for the frequency of scans, the type of scanning that should be done, what to do with the results of these scans, and more.
  • What type of organizations leverage this framework? This is generally leveraged by large business enterprises and government agencies, but it can be a helpful framework for any organization interested in evaluating and reducing cyber risk.

SSAE-16

  • Why does it exist? Statement on Standards for Attestation Engagements No. 16 (SSAE-16) monitors and enforces controls around the applications and application infrastructure that impact financial reporting. It covers business process controls and IT general controls. Service Organization Control (SOC) 1 reports, formerly known as SAS 70 reports, leverage the SSAE-16 framework.
  • If you’re on an IS team, how will this impact you? The SSAE-16 framework outlines many general best practices, but it is also a mandatory part of the SOX compliance process. In organizations that fall under SOX (as noted above, this includes public companies or companies about to IPO), specific stakeholders will need to review SOC 1 reports for any applications that are deemed in scope for SOX compliance (generally these are applications that process financial data). After reviewing the reports, these stakeholders will need to decide whether the organization can accept any associated risks that were reported.
  • What type of organizations leverage this framework? Companies that provide applications used to process financial information that ultimately affects financial statements; these are the organizations that typically obtain SOC 1 reports.

AT-101

  • Why does it exist? SOC 2 reports are based on the AT-101 auditing standard. SOC 2 reports test the design or operating effectiveness of security, availability, processing integrity, confidentiality, and/or privacy controls. All SOC 2 reports need to cover security controls. Availability, processing integrity, confidentiality, and/or privacy controls are optional principles that a company may opt to include if those controls are integral to providing a service. AT-101 SOC 2 reports are based on the Trust Service Principles, which correspond to the five control areas listed above.
  • If you’re on an IS team, how will this impact you? Reviewing SOC 2 reports from other organizations can reveal how partnering with them could introduce risk into your environment.
  • What type of organizations leverage this framework? Software as a Service (SaaS) providers, cloud computing companies, and other technology-related services will often get SOC 2 reports for their solutions.

FedRAMP

  • Why does it exist? FedRAMP is a standardized way for government agencies to evaluate the risks of cloud-based solutions. It follows a “do it once, use it many times” approach, allowing existing security assessments and packages to be reused across multiple agencies. Since continuous monitoring of cloud products and services is at the core of the framework, it can improve real-time security visibility for organizations.
  • If you’re on an IS team, how will this impact you? If you work at a government agency, you will use FedRAMP packages to decide whether it makes sense to leverage specific cloud-based solutions.
  • What type of organizations leverage this framework? Cloud solution providers interested in selling to federal government agencies will go through the FedRAMP certification process.

ISO (International Organization for Standardization)

  • Why does it exist? ISO publishes an international suite of standards. There are different sub-frameworks within ISO, and the sub-framework that is most relevant to your organization/industry depends on your goals. For example, a manufacturing organization would be likely to leverage the sub-framework ISO 9000, because the controls in this framework are focused on quality management. An organization looking to improve processes around information security management systems would derive more helpful guidance from the controls outlined in ISO 27000. For more on the ISO standards and which ones are most relevant to your organization, visit ISO.org.
  • If you’re on an IS team, how will this impact you? Your team may use this framework to improve and report on quality management and security.
  • What types of organizations leverage this framework? Any organization, whether public or private, could use this framework to improve and report on quality management and security.

Privacy Shield (replaced US-EU Safe Harbor)

  • Why does it exist? US-EU Safe Harbor was created to ensure US companies complied with European Union data protection standards when transferring European data to the States. It was invalidated by a European court in 2015, in relation to controversy over Edward Snowden and the NSA leaks. The Privacy Shield Framework was put in place to replace it. It exists to safeguard against, or mitigate, the risk of data being tampered with while it’s transferred between these two geographic regions. It enables US companies to more easily receive personal data from the EU under EU privacy laws meant to protect European citizens; this allows for a freer exchange of data, which is good for commerce.
  • What type of organizations leverage this framework? Organizations collecting, storing or processing personal data between the EU and US. US companies can self-certify that they will comply with EU data protection standards in order to allow for transfer of European data to the US.
  • If you’re on an IS team, how will this impact you? Your team may be involved in the process of joining the Privacy Shield Framework, and enforcing related controls.

HIPAA/HITECH

  • Why does it exist? HIPAA/HITECH enforces security to protect Personal Health Information (PHI).
  • What type of organizations leverage this framework? Anyone who is collecting, storing or processing personal health information (PHI), including hospitals, medical providers, and insurance companies.
  • If you’re on an IS team, how will this impact you? If you’re collecting this information, you’ll need to have controls in place to make sure it’s secure.

These are only some of the compliance and regulatory frameworks your organization may need to adhere to. Achieving compliance will be an ongoing process, but regular monitoring and reporting can help make adhering to these frameworks (and maintaining a secure environment) a standard part of business operations.